The number of disclosed vulnerabilities has been steadily increasing over the years. At the same time, organizations face significant challenges patching their systems, leading to a need to prioritize vulnerability remediation in order to reduce the risk of attacks. Unfortunately, existing vulnerability scoring systems are either vendor-specific, proprietary, or only commercially available. Moreover, these and other prioritization strategies based on vulnerability severity are poor predictors of actual vulnerability exploitation because they do not incorporate new information that might change the likelihood of exploitation. In this paper we present the efforts behind building a Special Interest Group (SIG) that seeks to develop a completely data-driven exploit scoring system that produces scores for all known vulnerabilities, that is freely available, and that adapts to new information. The Exploit Prediction Scoring System (EPSS) SIG consists of more than 170 experts from around the world and across all industries, providing crowd-sourced expertise and feedback. Based on these collective insights, we describe the design decisions and trade-offs that led to the development of the next version of EPSS. This new machine learning model provides an 82% performance improvement over past models in distinguishing vulnerabilities that are exploited in the wild and thus may be prioritized for remediation.